Claude Code ignores ignore rules meant to block secrets • The Register

https://www.theregister.com/2026/01/28/claude_code_ai_secrets_files/

Publish Date: 2026-01-28 15:42:00

Don’t you hate it when machines can’t follow simple instructions? Anthropic’s Claude Code can’t take “ignore” for an answer and continues to read passwords and API keys, even when your secrets file is supposed to be blocked.

Software developers often store secrets – passwords, tokens, API keys, and other credentials – in .env files within project directories. And if they do so, they’re supposed to ensure that the .env file does not get posted in a publicly accessible .git repository.

A common way to do this is to create an entry in a .gitignore file that tells the developer’s Git software to ignore that file when copying a local repo to a remote server.

Claude implements something similar, a .claudeignore file.

When asked, “If I make a .env file, how do I keep you from reading it?”, Claude responded, “You can add .env to a .claudeignore file in your project root. This works like .gitignore — Claude Code will refuse to read any files matching patterns listed there.”

But Claude is incorrect. As described in this Pastebin post, Claude can read the contents of an .env file despite an entry in the .claudeignore file that ought to prevent access.

The Register reproduced this result. We created a directory, created an .env file with sample secrets, added a .claudeignore file with “.env” and “.env.*” and then started Claude Code (v2.1.12) via the CLI. We asked Claude to read the .env file and it did so – which would not happen if Claude respected .claudeignore entries.

This has potential security implications, particularly for agents – these tool-enabled AI models could be induced to share stored secrets via indirect prompt injection.

What’s more, Claude will also ignore the presence of “.env” in a .gitignore file. It does so despite a default /config flag that sets “Respect .gitignore in file picker” to…

Source